---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-trickster-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "trickster")) | nindent 2 }}
rules:
- apiGroups: ["apps"]
  resources: ["deployments/http"]
  resourceNames: ["trickster"]
  verbs: ["get", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-trickster-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "trickster")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-trickster-http
subjects:
- kind: Group
  name: ingress-nginx:auth
- kind: Group
  name: prometheus:auth
- kind: ServiceAccount
  name: prometheus
  namespace: d8-monitoring
{{- if (.Values.global.enabledModules | has "upmeter") }}
- kind: ServiceAccount
  name: upmeter-agent
  namespace: d8-upmeter
{{- end }}
{{- if (.Values.global.enabledModules | has "prometheus-metrics-adapter") }}
- kind: ServiceAccount
  name: prometheus-metrics-adapter
  namespace: d8-monitoring
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-trickster-prometheus-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "trickster")) | nindent 2 }}
rules:
- apiGroups: ["apps"]
  resources: ["deployments/prometheus-metrics"]
  resourceNames: ["trickster"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-trickster-prometheus-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "trickster")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-trickster-prometheus-metrics
subjects:
- kind: User
  name: d8-monitoring:scraper
- kind: ServiceAccount
  name: prometheus
  namespace: d8-monitoring
